University of Glasgow Guidelines for System and Network Administrators

Purpose

Network and Systems Administrators have privileges and duties that may bring them into contact with sensitive, restricted or personal information during the course of their work. The privileges they have with respect to system access, operation and maintenance are for the express purpose of ensuring maximum availability, integrity and security for the systems they are responsible for. The purpose of this Policy is to define the roles and responsibilities of Network and Systems Administrators from a network and systems security perspective. Heads of College, Schools, Services and research groups who have a requirement to manage network segments or network servers and applications must ensure that these roles and responsibilities are properly addressed.

Scope

This Policy covers all personnel engaged in network and systems administration. It applies to central support staff as well as department, service and research support staff. The range of duties covered by this Policy includes:

  • Network support for:
    • Infrastructure components 
    • LAN components 
    • Services and Applications 
  • Centralised core servers, services and applications 
  • Decentralised servers, services and applications 
  • Staff and Student desktop support 
  • Telephony services 
  • Support services e.g., network operators, systems operators, IT advisory services 
  • Any other privileged access to University Information systems

University Management are ultimately responsible for the actions of University staff and must ensure that all staff engaged in network and systems administration duties are suitable for those roles and are made aware of the University Policies which affect their work or their use of Information technology resources.

Policy

System and network administrators require formal authorisation from the "owners" of any equipment they are responsible for. The law refers to "the person with a right to control the operation or the use of the system". With respect to the University’s Information technology resources, ‘ownership’ rests with the Secretary of the University Court acting on behalf of the University authorities. In accordance with current UK legislation, Service Directors and Heads of Departments or Research groups require delegated authority from the Secretary of the University Court before they may authorise personnel to engage in network and system administration activities. Some systems may have more complicated ownership, as they may be formally the property of departments, research groups or third parties. In such cases it will be a condition of connecting to the University campus network that authority rests with the Secretary of the University Court.

If any administrator is ever unsure about the authority they are working under they should stop and seek advice immediately as otherwise there is a risk that their actions may be in breach of the law.

Permitted Activities

The duties of system and network administrators can be divided into two areas. The first duty of an administrator is to ensure that networks, systems and services are available to users and that information is processed and transferred correctly, preserving its integrity. Here the administrator is acting to protect the operation of the systems for which they are responsible. For example, investigating a denial of service attack or a defaced web server is an operational activity, as is the investigation of crime.

Many administrators also play a part in monitoring compliance with the policies which apply to the systems. For example, some organisations may prohibit the sending or viewing of particular types of material, may restrict access to certain external sites, or may ban certain services from local systems or networks. The JANET Acceptable Use Policy prohibits certain uses of the network. In all of these cases the administrator is acting in support of policies, rather than protecting the operation of the system.

The law differentiates between operational and policy actions, for example in section 3(3) of the Regulation of Investigatory Powers Act, so the administrator should be clear, before undertaking any action, whether it is required as part of their operational or policy role. The two types of activity are dealt with separately in the following sections.

Operational activities

Where necessary to ensure the proper operation of networks or computer systems for which they are responsible, authorised administrators may:

  • Monitor and record traffic on those networks or display it in an appropriate form;
  • Examine any relevant files on those computers;
  • Rename any relevant files on those computers or change their access permissions (see Modification of Data below);
  • Create relevant new files on those computers.

Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from management or the owner of the file.

The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user file store then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.

Policy activities

Administrators must not act to monitor or enforce policy unless they are sure that all reasonable efforts have been made to inform users both that such monitoring will be carried out and the policies to which it will apply. If this has not been done through a general notice to all users then before a file is examined, or a network communication monitored, individual permission must be obtained from all the owner(s) of files or all the parties involved in a network communication.

Provided administrators are satisfied that either a general notice has been given or specific permission granted, they may act as follows to support or enforce policy on computers and networks for which they have responsibility and authority:

  • Monitor and record traffic on those networks or display it in an appropriate form;
  • Examine any relevant files on those computers;
  • Rename any relevant files on those computers or change their access permissions or ownership (see Modification of Data below);
  • Create relevant new files on those computers;
  • Under the direction and authority of the University of Glasgow Computer incident response team (UGCirt) recover computers for detailed inspection.

Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from management or the owner of the file.

The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user file store then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.

General Roles and Responsibilities

This section describes the general roles and responsibilities applicable to network and system administrators. It is recognised that the terms network and systems administrators may mean different things to different constituencies e.g., some may use the terms interchangeably and some may combine the roles under one or the other title. However irrespective of terminology certain roles and responsibilities need to be identified and properly addressed.

Network administrators

Network administrators are responsible for the security and availability of the networks they manage. Network administrators must adhere to this and all relevant University Information Technology Policies, in particular:

For each network there should be at least one network administrator available at all times during normal working hours, and emergency call out procedures should be documented for other times. Network administrators should maintain a network topology map for all active equipment and proactively monitor network equipment for faults or other service affecting conditions. Detailed inventories should be maintained identifying equipment, location, purpose and maintenance schedules. All key network equipment should be manageable via SNMP or other techniques. Network administrators should be aware that network equipment may be vulnerable to security attacks and should protect it accordingly, i.e.:

  • Restrict stations/networks allowed management access 
  • Restrict user, monitor and admin accounts 
  • Implement the University’s password policy 
  • Choose SNMP community strings wisely 
  • Implement ACLs where appropriate
  • Implement ‘routing table updates’ security where appropriate 
  • Limit DoS impact, e.g., restrict and rate limit ICMP 
  • Limit management agents and services to those absolutely necessary 
  • Configure logging on routing and switching equipment where appropriate. NB logs should be stored on a separate secure system 
  • Regularly review log files for unusual events or activities 
  • Report all network security incidents to the UGCirt

Management information should be collected and stored in a form that will aid the following activities:

  • Performance monitoring, fault tracking and capacity planning
  • Incident investigation
  • Policy compliance monitoring

Network administrators should be aware of the roles and potential vulnerabilities associated with the systems that connect to their networks and provide advice to system administrators on proactive measures to help protect those systems. During the course of their duties network administrators may detect suspicious activity or security breaches. In all cases such incidents must be reported to the University of Glasgow Computer Incident Response Team, UGCirt. Network administrators will be expected to work with or under the direction of UGCirt to help resolve any security incident affecting their networks.

System administrators

System administrators are responsible for the security and availability of the network servers they manage. System administrators must adhere to this and all relevant University Information Technology Policies, in particular:

  • Network Connection Policy
  • IT Monitoring Policy
  • Bastion Host Policy
  • Incident Handling Policy
  • Universal Access Policy

For each network server, service and application there should be at least one system administrator available at all times during normal working hours and emergency call out procedures should be documented for other times. It is recognised that many system administration activities will be operating system, service or application specific and that systems administrators must be proficient in those tasks. However there are a number of common security related tasks that system administrators must address irrespective of the operating environments involved i.e. they must:

  • Understand the role of each server and its importance to the user community served
  • Understand the range and types of vulnerabilities that may affect the network server, services and applications; conduct a risk analysis for those vulnerabilities, in collaboration with UGCirt if required
  • Perform regular systems maintenance functions with respect to the following:
    • Operating system patches and hot fixes
    • Service and application patches and hot fixes
    • Operating system, service and application software updates and new releases
  • Implement vendor security configurations and recommendations. Systems administrators should familiarise themselves with all vendor specific security recommendations and relevant 'best practice' guides advertised by UGCirt
  • Implement procedures that ensure early notification of newly detected vulnerabilities and vendor security patches
  • Discuss security requirements with UGCirt.
  • Limit operating system options, features, services and applications to those essential for the primary purpose of the network server
  • Disable all IP network port numbers that are not required for the server's primary role
  • Install proactive security measures where appropriate, e.g.,
    • TCP-Wrappers or their equivalents to limit the server's visibility
    • Anti-virus software to protect against malicious code
    • Access control lists (ACLs) to restrict access and service/application visibility
    • Firewall shims to extend ACLs with stateful inspection
  • Enable operating system, service and application logging to record the following:
    • Connection attempts
    • Authentication results
    • Unauthorised access attempts
    • Network interface statistics
    • Unusual events
    Logs must be protected from unauthorised access or modification. Wherever possible, logs should be forwarded to a secure system for storage. It is essential that internal system clocks be synchronised via the Network Time Protocol, NTP, to ensure accurate correlation between evidence gathered from system logs.
  • Review system logs regularly, and take action as appropriate.
  • Checkpoint the system file store with an auditing tool, e.g., Tripwire, to help detect rootkits or other altered system images
  • Monitor systems operating parameters for unusual events, processes, access problems, disk anomalies
  • Ensure all user access is authenticated and advise users on system authentication requirements e.g.,
    • University's password recommendations, strong encryption (SSH) for remote access to user accounts if required
  • Manage user accounts and access privileges (see below)
  • If remote management access to a server is required then enforce strong encryption via SSH
  • Restrict the use of the administrator account to tasks associated with systems administration
  • Only access administrator accounts from systems and networks that are known to be secure
  • Disable or delete old or unused accounts for users that no longer need access
  • Produce disaster recovery plan for server, services and applications
  • Perform regular system backups (see below) 
  • Test restore/recovery procedures periodically
  • Report all security incidents to UGCirt
  • Request vulnerability scans from UGCirt at least twice per year
  • Ensure compliance with all University information technology policies, UK laws and regulations
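
The "checkpoint the file store with an auditing tool" duty above, shown as an added example (not University code, and not Tripwire itself): a baseline of SHA-256 digests and permission bits is taken for every regular file under a root, and a later checkpoint is compared against it so that replaced binaries, loosened permissions, removed files and unexpected new files all surface at the next log review. The tampering scenario in `demo()` is constructed in a temporary directory.

```python
"""Tripwire-style checkpoint of a file store (added example, not University code)."""
import hashlib
import os
import stat
import tempfile


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def checkpoint(root):
    """Map each regular file (path relative to root) to (sha256, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are outside this check
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            baseline[rel] = (sha256_of(full), mode)
    return baseline


def compare(baseline, current):
    """Diff two checkpoints; an 'altered' file has a new digest or new mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    altered = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "altered": altered}


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        files = {"bin/ls": b"original ls binary",
                 "passwd": b"root:x:0:0::/root:/bin/sh\n",
                 "motd": b"Authorised users only\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        os.chmod(os.path.join(root, "passwd"), 0o644)
        base = checkpoint(root)
        # Simulated tampering: trojaned binary, loosened permissions,
        # removed file and a hidden file dropped in the tree.
        with open(os.path.join(root, "bin", "ls"), "wb") as handle:
            handle.write(b"trojaned ls binary")
        os.chmod(os.path.join(root, "passwd"), 0o666)
        os.remove(os.path.join(root, "motd"))
        with open(os.path.join(root, ".hidden"), "wb") as handle:
            handle.write(b"x")
        return compare(base, checkpoint(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to the same separate, secure system as the logs, since a baseline stored on the checked host can be altered along with it.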

During the course of their duties System administrators may detect suspicious activity or security breaches. In all cases such incidents must be reported to the University of Glasgow Computer Incident Response Team, UGCirt. System administrators will be expected to work with or under the direction of UGCirt to help resolve any security incident affecting their systems.

Management of User Accounts and Access Privileges 

System administrators must establish procedures for the registration and deregistration of users, and for managing access to systems, to ensure that all users' access rights match their authorisations.

All users shall have a unique identifier (user ID) for their personal and sole use. For University staff, it is recommended that the standard form Glasgow University ID (GUID) is used. Alternatively, if for any given system a different form of user ID is used, then either the GUID or the University person number (staff number) should be recorded against the account.

Users' access rights must be limited to the minimum necessary to conduct their work.

Access to all systems must be authorised by the manager responsible for the system, and a record must be maintained of such authorisations, including the appropriate access rights or privileges granted.

Users' access rights shall be adjusted appropriately, and in a timely manner, whenever there is a change in role or the user leaves the University. Where GUIDs are used, or a person number has been recorded, it may be possible to determine automatically from central data where staff move within the University or leave. This can be used to trigger a review of access rights, or deregistration. Otherwise, and for any accounts without a GUID user ID or person number, a manual review process shall be performed at regular intervals.
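The central-data-driven review described above, as an added example (not a University tool): each local account carries the GUID or staff number recorded against it, and a constructed central staff feed is used to decide whether the account should be deregistered (the person has left), reviewed (their role has changed since access was authorised, or the identifier is unknown centrally), or reviewed manually because no identifier was recorded. The record layouts and sample values are assumptions.

```python
"""Access-rights review driven from central data (added example, not a University tool)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalAccount:
    user_id: str
    guid: Optional[str] = None          # GUID recorded against the account, if any
    staff_number: Optional[str] = None  # University person number, if any
    authorised_role: str = ""           # role at the time access was authorised


@dataclass
class CentralRecord:
    guid: str
    staff_number: str
    role: str
    left: bool = False  # True once the person has left the University


def lookup(account, central):
    """Find the matching central record, preferring the GUID over the staff number."""
    for rec in central:
        if account.guid and rec.guid == account.guid:
            return rec
        if account.staff_number and rec.staff_number == account.staff_number:
            return rec
    return None


def review_access(accounts, central):
    """Return {user_id: action}, action in {deregister, review, manual_review, ok}."""
    actions = {}
    for acct in accounts:
        if not acct.guid and not acct.staff_number:
            actions[acct.user_id] = "manual_review"  # no link to central data
            continue
        rec = lookup(acct, central)
        if rec is None:
            actions[acct.user_id] = "review"         # identifier unknown centrally
        elif rec.left:
            actions[acct.user_id] = "deregister"     # leaver: remove access
        elif rec.role != acct.authorised_role:
            actions[acct.user_id] = "review"         # role change: re-check rights
        else:
            actions[acct.user_id] = "ok"
    return actions


# Constructed sample data; identifiers are placeholders, not real GUIDs.
CENTRAL = [
    CentralRecord("guid-0001", "100001", "Research Fellow"),
    CentralRecord("guid-0002", "100002", "Lab Manager"),        # promoted from Technician
    CentralRecord("guid-0003", "100003", "Lecturer", left=True),
]
ACCOUNTS = [
    LocalAccount("fellow1", guid="guid-0001", authorised_role="Research Fellow"),
    LocalAccount("tech1", staff_number="100002", authorised_role="Technician"),
    LocalAccount("lect1", guid="guid-0003", authorised_role="Lecturer"),
    LocalAccount("legacy", authorised_role="Unknown"),
    LocalAccount("ghost", staff_number="999999", authorised_role="Visitor"),
]

if __name__ == "__main__":
    for uid, action in review_access(ACCOUNTS, CENTRAL).items():
        print(f"{uid:8s} {action}")
```

The "review" outcomes are handed to the manager responsible for the system, who holds the authorisation record; the script decides nothing on its own beyond flagging.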

Backups

Backups of all important data must be taken regularly. Adequate facilities shall be provided to ensure data can be recovered following a disaster or media failure. System administrators will ensure that appropriate backup and recovery procedures are implemented, documented and tested. The procedures shall ensure:

  • Appropriate backup frequency and retention times are defined, if necessary in conjunction with the data owner.
  • At least 2 generations of backup are retained (3 for important applications?)
  • At least 1 copy is held at a remote location at sufficient distance to escape any damage from a disaster at the main data site.
  • Appropriate environmental and physical controls are in place to protect all backup media. NB while backups reduce risks to the availability and integrity of information, each additional copy potentially increases the risks to confidentiality.
  • Completion of each backup is checked and the results recorded.
  • Restore procedures are regularly tested, and the results recorded.
  • Backup media are disposed of securely and safely when no longer required.

Management responsibility

Management should restrict the number of persons granted privileged systems or network equipment access to those responsible for the day-to-day operation and support of the systems and networks. Granting authority and privileged access to network and networked systems represents a delegation of trust in selected individuals. System and network administrators should therefore be chosen carefully, based on personal qualities of honesty, integrity and unquestionable work ethics. Management must ensure that system and network administrators are competent for the tasks they are expected to perform and that they comply with all relevant Information Technology Policies. Management must be aware of the importance of the support roles and responsibilities associated with network administration or deploying a network server, service or application. If management cannot fulfil these obligations they should seek alternative solutions from centrally provided facilities.

Ethical considerations

Systems and Network administrators play a critical role in the security and availability of the systems and networks they are responsible for. During the course of their duties it is inevitable that they will come into contact with sensitive, personal or restricted information. For these reasons system and network administrators must display an exemplary work ethic. The following sections indicate the ethical standards expected of system and network administrators employed by the University of Glasgow.

Disclosure of information

System and network administrators are required to respect the confidentiality of files, correspondence and other data they come into contact with.

During the course of their activities, administrators are likely to become aware of information which is held by, or concerns, other users. Any information obtained must be treated as confidential: it must neither be acted upon, nor disclosed to any other person, unless this is required as part of a specific incident handling procedure:

  • Information relating to the current incident may only be passed to managers or others involved in the incident; 
  • Information that does not relate to the current incident must only be disclosed if it is thought to indicate an operational problem, or a breach of local policy or the law, and then only to management for them to decide whether further investigation is necessary.

Administrators must be aware of the need to protect the privacy of personal data and sensitive personal data (within the meaning of the Data Protection Act 1998) that is stored on their systems. Authorised administrators may come to know such data during the course of their investigations. Particularly where this affects sensitive personal data, any unexpected disclosure should be reported to the relevant University authority and to the UGCirt.

Modification of Data

For both operational and policy reasons, it may be necessary for administrators to make changes to user files on computers for which they are responsible. Wherever possible this should be done in such a way that the information in the files is preserved:

  • Rename or move files, if necessary to a secure off-line archive, rather than deleting them; 
  • Instead of editing a file, move it to a different location and create a new file in its place; 
  • Remove information from public view by changing permissions (and if necessary ownership).

Where possible the permission of the owner of the file should be obtained before any change is made, but there may be urgent situations where this is not possible. In every case the user must be informed as soon as possible what change has been made and the reason for it.

The administrator may not, without specific individual authorisation from the appropriate authority, modify the contents of any file in such a way as to damage or destroy information.

Professionalism

Administrator behaviour must reflect the importance of the role and the duties performed. Administrators will be required to work with individuals at all levels, including users, senior management, vendors and other administrators, and should display patience, understanding and professionalism to help ensure that trust and respect are never compromised.

Administrators must not engage in any actions that may compromise their integrity or the integrity of the systems or networks they administer; in particular, administrators must not engage in any of the following activities:

  • Intentionally damage or destroy any University of Glasgow ICT resources 
  • Accept gifts or favours from any individual in return for providing network access, system access or elevated privileges 
  • Disclose directly or through careless action information that would allow unauthorised personnel privileged system access 
  • Attempt to gain or use privileged access outside their assigned areas of responsibility 
  • Develop or modify computer software with the intention of circumventing systems security policies 
  • Intentionally breach any University Information Technology Policy

User contact

Administrators have a duty to keep their users informed about computing matters that affect them. This includes systems security issues, acceptable use policy, system backup policy, system monitoring policy and legal obligations. Such information should be maintained and presented in a manner that ensures user awareness and understanding. Administrators should give advice, when sought, impartially, and state any limitations in their personal knowledge. Any conflicts of interest which may arise concerning any advice or proposed actions should be declared immediately. Administrators must not monitor or collect information regarding the activities of individuals unless specifically authorised to do so during an official incident handling procedure. This does not preclude the legitimate task of collecting and analysing anonymised information about systems performance and usage patterns associated with accepted operational procedures.

References

This policy is based on information gathered from a variety of sources including:

  • Local procedures and experience
  • Consultation with interested parties
  • Other Organisations and Institutions